Bug #123877 for ExtUtils-ParseXS: Fwd: "Vulnerability" in Perl in the news

---------- Forwarded message ---------- From: Dave Rolsky <autarch@urth.org> Date: Sun, Dec 10, 2017 at 11:31 AM Subject: "Vulnerability" in Perl in the news To: perl5-porters@perl.org I use the word "vulnerability" in quotes, because press releases to the contrary, I'm not convinced there's anything exploitable here. However, this is getting reported as a "severe vulnerability" by websites for reasons I don't understand. No one will be surprised that this was some conference-driven research with the hype that unfortunately accompanies it. Anyway, here's a link to the paper - https://www.blackhat.com/ docs/eu-17/materials/eu-17-Arnaboldi-Exposing-Hidden- Exploitable-Behaviors-In-Programming-Languages-Using- Differential-Fuzzing-wp.pdf The one thing listed for Perl is that the ExtUtils::Typemaps::Cmd module's embeddable_typemap sub will eval anything you pass it in an attempt to load a module based on the strings it gets. This would only be a vulnerability if you wrote code that accepted arbitrary user input and passed it to that sub. But it's hard to imagine a case where that would happen. So I'd consider this a theoretical vulnerability at best. That said, patching this module to do some basic validation of the passed strings isn't a terrible idea. Cheers, Dave Rolsky http://blog.urth.org https://github.com/autarch